The digital streaming platform Mixcloud publicly confirmed that it has been the victim of a massive data breach. The hacker revealed to media outlets the Mixcloud data of 21 million users, which is now for sale in an underground market. The stolen data includes email addresses, IP addresses, and a smaller number of hashed passwords. Fortunately, the company does not store full credit card numbers or home addresses. Mixcloud says that it is investigating the incident, but does not yet know how the hackers gained access to the data.
The streaming services market that Mixcloud is part of is extremely competitive, and includes rivals such as Spotify, Google, Amazon, and Apple streaming services. Mixcloud allows users to upload their own mixes. The data breach could harm the brand’s reputation and cost them users and revenue.
According to Vice and ZDNet, the publications contacted about the breach, the stolen data is now for sale on the dark web by a user with the alias A_W_S. The information is selling for $3,700 or 0.5 bitcoin. A_W_S has previously sold information on the dark web, including data taken from the companies Canva, Chegg, and StockX.
Steps for Safeguarding User Accounts
Mixcloud has advised its users to change their passwords, even though most use a Facebook single sign-on. The company stores passwords using a technique called “salting,” which protects hashed passwords, including all the ones stolen, by adding extra data to them. Although Mixcloud said it didn’t think that any passwords had been compromised, it strongly suggested that users change them anyway, especially if they had been reusing passwords.
The common practice of reusing passwords makes data breaches like this one a potential trove for hackers. A more rigorous approach would be to create a unique password for each site, but such an approach is only remotely practical if the user has a browser that remembers the password or if they use a third-party password manager service.
Director of Forensics at SecureData, Allan Buxton, has stated that signing into a site with your social media account or Google account only allows that site to learn more information about you, your location, and likes and dislikes, all of which can be used for targeted advertisements or worse.
How We Can Help
Secure Forensics can help companies recover from a data breach. Our certified and experienced engineers can find the source of the breach, find what data was compromised, and ultimately create a court-admissible report of the evidence they found regarding the cybercrime.
Call us at 1-800-288-1407 or visit our website to learn more about how Secure Forensics can help with your cyber incident.